GDPR is coming—here’s what Canadian tech companies need to do

PwC

For months, the European Union’s General Data Protection Regulation (GDPR) has felt like a distant point on the horizon—within sight, but still far away. Now, that distant point is a whole lot closer, and getting harder to ignore.

Over the next several months, implementation of the GDPR is likely to be a significant challenge for Canadian tech companies. As I’ve written about before, its stated purpose is to strengthen the protection of personal data, and create a set of ‘data rights’ for EU residents. As a result, it will regulate the flow of data across borders. This will have an immediate impact on companies that rely on cloud services to do business with EU residents, as well as any companies that have European clients or customers, or process EU resident data on behalf of clients.

As you can imagine, the ripples of GDPR will be widely felt. For example: a Canadian marketing agency providing programmatic ad buys that target EU residents; a small HR scheduling software provider with EU-based customers; and there has been ample discussion about how tech startups developing machine learning–based data analytics might be affected. The GDPR has provisions requiring algorithmic transparency and, arguably, the right not to be subject to decisions made via automated processing, leading some to speculate if the GDPR is inadvertently making deep learning “illegal.”

You might say: “this won’t affect us—we don’t have operations in Europe.” But consider your vendor landscape. What about your suppliers? Or their sub-processors? If you regularly deal with third-party vendors, the GDPR ‘web of responsibility’ can be bigger than you think. Tech companies need to be ready to answer to their clients when it comes to exactly how they are complying with the GDPR, and the vetting process they undergo to ensure that their vendors are likewise meeting compliance.

It’s safe to assume regulators will take a proactive approach to enforcement, and focus initially on a few ‘big fish’ outside the EU—companies like Google and Facebook, with hoards of data on EU residents. The recent scandal concerning Cambridge Analytica’s use of private information from over 50 million Facebook profiles to influence both the Trump and Brexit campaigns will no doubt add fuel to this fire.

You need to start thinking differently about how you’re managing EU data now if you want to avoid issues before they surface.

But for the Canadian tech industry, the most significant risks may be less obvious. If your company has a material data breach, expect to receive regulator attention. Going for Series A or Series B funding? Be prepared to answer questions about GDPR compliance. Looking for a buyout? Your data protection practices (or lack thereof) may have a big impact on your valuation. As a tech company, if you’re found non-compliant, you may also risk having entire databases deleted.

This may sound daunting, but there’s no need to panic. Canada has privacy legislation at the provincial and federal levels that share some characteristics with the GDPR. The key is to start understanding its complexities, so that you can be prepared. If your company relies on cloud computing, or has ever used cloud services (and these days, who hasn’t?), now is the time to get your house in order. Here are some initial suggestions:

Perform data mapping and a GDPR assessment

Don’t waste time ‘boiling the ocean’: take a risk-based approach to GDPR compliance and figure out where you might be most susceptible, and then prioritize accordingly. As you assess your risk level, ask yourself: do you offer goods or services to EU residents? Do you have a physical representative inside the EU — do they process any personal data? Does your business perform geolocation, profiling, or tracking for itself or for clients? Don’t forget, you don’t have to be physically doing business in the EU to become entangled in GDPR: any Canadian business that has service providers, supply-chain members, or B2B clients with EU presence may require GDPR compliance.

Privacy protection, now more than ever, can be used as a strategic differentiator to gain market share both locally and internationally.

Conduct a data mapping exercise to determine exactly what data you have, where it’s located, and how it flows both into and out of your organization and across borders. This will also help you determine whether you’re a data controller or a data processor—an important distinction as you work towards compliance. Once you know this, you can start to understand where you handle and store EU data.

The benefits here are two-fold: not only does this process help refine where you need to focus your compliance efforts, but it also helps start compliance in developing an Article 30 register of processing activities, a requirement under the GDPR.

Remember, at the end of the day, the GDPR is a data governance law. The intent isn’t to penalize companies; it’s for companies to gain a true handle on their data flows, so that they can protect user information across the entire data lifecycle from creation and collection to retention and deletion.

European Union

Photo by Thijs ter Haar (Flickr)

Focus on top-priority risks

The GDPR is a wide-ranging regulation, and it’s easy to get bogged down in the different impacts it could have on your business. But we live in the real world, and so do regulators, who will have to make hard choices about their priorities. As a Canadian tech leader, it makes sense to focus on mission-critical business functions and those lines of business that could attract the attention of regulators first, such as your ongoing marketing efforts or the development of any products that leverage personal data in new ways.

Rethink how you manage data

For some companies, the most viable strategy may be to change data management activities on the EU-related portion of the business. How does the EU version of your website track usage? Can you stop serving targeted advertising to individuals in the EU? Are there opportunities to anonymize data so you are not subject to GDPR, or pseudonymize data to reduce GDPR responsibilities? You need to start thinking differently about how you’re managing EU data now if you want to avoid issues before they surface.

Remediate processes

Finally, you should determine what existing practices need to be changed or what new processes you’ll need to achieve GDPR compliance. Depending on the scope of your business with EU residents, that may include establishing clear (and documented) accountability for compliance, reviewing the context for lawful processing and third-party contracts, and developing policies and protocols to execute on any data deletion request. It also means regularly reviewing your processes to ensure you’re staying compliant. Tools like PwC’s GDPR Readiness Assessment Tool can provide a top-down assessment to help prioritize your efforts and benchmark against peers and companies across the globe.

The worst thing you can do right now is be complacent. You might think the GDPR is really a way to go after big-name Silicon Valley companies. But the stated purpose of the regulation is meant to protect EU citizens from companies outside of Europe—as a member of Canada’s high tech industry, that also means you. That doesn’t mean you should be dreading the upcoming changes. Instead, take the opportunity to get your house in order. Privacy protection, now more than ever, can be used as a strategic differentiator to gain market share both locally and internationally. Taking data privacy seriously today could give you the added edge to secure the funding opportunities, buyout, or high valuations you are looking for.

For more information on what to do next, read our overview of GDPR policies and recommended actions or reach out to us directly for guidance.

Photo via Shutterstock

Jordan Prokopy

Jordan Prokopy

Jordan Prokopy is a Director of Cybersecurity & Privacy at PwC Canada and leads the National Privacy Practice. She has a passion for helping companies move from reactive privacy management to a proactive, strategic approach that unlocks the value of data and drives shareholder value and customer trust.